
We described the scale of the attack as "Internet-threatening," elaborating further that the attack, peaking at more than 300 gigabits per second, "is the kind of scale that threatens the core routers that join the Internet's disparate networks."

Subsequently, posts on Gizmodo and The Guardian called into question these assessments, with Gizmodo casting doubt on the description by asking some "simple questions" and The Guardian specifically claiming that it was "shoddy journalism."

We stand by our original description and reporting. Here's why.

A network of networks

Before looking at the anti-Spamhaus attacks specifically, it's important to know a little about how the Internet is constructed. The Internet is often described as a "network of networks." Organizations around the world have their own independently owned and operated networks—university campuses, the retail Internet Service Providers (ISPs) that provide DSL, cable, and more exotic connections to homes and businesses, corporations, government departments, and so on and so forth.

All of these are useful networks in their own right, but they become enormously more useful when they're joined up. Joining up networks creates an internetwork. The first internetwork infrastructure came from the US government, and the first internetwork, ARPANET, joined a number of US universities in the 1970s.

Through the development of a series of other internetworks—both academic and commercial—and the establishment of international internetworks, we came to the situation we have today.

A small number of companies (about a dozen, though it's hard to know with absolute certainty) own and operate high-speed, transnational networks. These companies, called Tier 1 providers, pass traffic between one another freely, providing transfers between smaller networks. This free traffic transfer is called peering.

They provide the thing that's closest to the Internet's "backbone" (though the term isn't really accurate: there's no single fragile spine, but rather a complex mesh of redundant, interconnected networks): from a Tier 1 provider, it's possible to send traffic to any public IP address.

Below them are the Tier 2 providers, which buy Internet connectivity from Tier 1 providers; this purchased connectivity is called transit. However, Tier 2 providers also connect directly to other Tier 2 providers through peering relationships. Tier 2 providers can be regional, but they can also be large transnational networks.

[Figure: How customers connect to ISPs and ISPs connect between tiers.]

Large Tier 2 providers can peer with many, many other Tier 2 providers, with the result that Internet traffic from that provider only infrequently has to use the Tier 1 connectivity. The distinction between Tier 1 and Tier 2 is not size or scale as such; it's simply that Tier 1 networks only use peering. Tier 2 networks have to buy at least some transit.

Tier 1 providers generally sell only to Tier 2 providers. Tier 2 providers may sell directly to end users, or they may sell to Tier 3 providers: ISPs who only buy transit and don't have any peering.

Tier 2 and Tier 3 providers fall into two further categories. They can be multi-homed, with multiple transit connections to different networks, or single-homed, with just one transit link.

When two providers want to connect to one another, whether for peering or for transit, they obviously need a physical link of some kind. For providers with only a few connections, one-off point-to-point connections known as private network interconnects (PNIs) are used. But if you want to connect with lots of peers, you don't want to build lots of individual, expensive fiber optic links. You want to consolidate: bring all the peers together in one place, and then put a router or a network switch between them all to join them up.

As a result, a few hundred Internet Exchanges (IXs) are dotted around the globe. At each IX, there may be hundreds of providers from all three tiers coming together. The IXs generally use Ethernet infrastructure for their internal connectivity. Gigabit and 10 gigabit Ethernet are predominant, but 100 gigabit Ethernet is starting to gain more use, though its cost today prevents it from being used as the standard technology. Longer links may be gigabit, 10 gigabit, 40 gigabit, or 100 gigabit. In principle, still faster speeds are possible by aggregating these 100 gigabit connections, but in practice, today's IXs are mainly 10 gigabit (or aggregated multiples thereof) networks.

IXs are important. Major service providers such as Google, Microsoft, and Facebook connect to IXs. If two Tier 2 operators can send traffic directly to each other, via peering at an IX, that's cheaper and more efficient than going via transit to a Tier 1.

Enter Spamhaus, STOPhaus, and CloudFlare

[Image: STOPhaus doesn't care much for Spamhaus.]

Spamhaus provides useful services to e-mail administrators wishing to keep junk e-mail out of the servers they own and operate. STOPhaus is an informal group that doesn't like Spamhaus. STOPhaus members wanted to knock Spamhaus off the Internet using a distributed denial of service (DDoS) attack that flooded Spamhaus's systems and drowned out legitimate traffic. They did so by aiming a flood of DNS traffic at Spamhaus's servers.

In response, Spamhaus started using the services of CloudFlare, a company that specializes in providing robust hosting that's difficult to take offline with DDoS attacks. CloudFlare does this by replicating content around the globe and using a routing technique called anycast. Anycast allows servers with the same IP address to coexist simultaneously around the globe. Internet providers will generally route traffic to the geographically nearest instance of those anycasted IP addresses.

This does two things. First, by picking a site that's geographically close, it cuts the latency to access the site, making it react faster. Second, it dilutes the effect of DDoS attacks. Instead of a distributed attack using systems around the world being able to focus its flood on a single IP address in a single location, each attacking system can only reach the instance nearest to it.

Two attackers on opposite sides of the world may still be aiming at the same victim IP address, but their traffic will go to different computers that are relatively nearby.
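To make the dilution argument concrete, here is an added simulation (not code from the article, CloudFlare, or Spamhaus) that assumes "nearest instance" means the smallest great-circle distance and uses constructed PoP locations and attack sources whose rates sum to 300 Gbps. It compares the load on one unicast target with the load each anycast PoP actually sees.

```python
from math import radians, sin, cos, asin, sqrt

# Constructed sample: points of presence that all announce the same anycast IP.
ANYCAST_POPS = {
    "Amsterdam": (52.37, 4.90),
    "New York": (40.71, -74.01),
    "Singapore": (1.35, 103.82),
    "Sao Paulo": (-23.55, -46.63),
}

# Constructed sample: attacking sources as (city, lat, lon, flood rate in Gbps).
ATTACK_SOURCES = [
    ("Frankfurt", 50.11, 8.68, 80.0),
    ("London", 51.51, -0.13, 60.0),
    ("Chicago", 41.88, -87.63, 70.0),
    ("Tokyo", 35.68, 139.69, 50.0),
    ("Buenos Aires", -34.60, -58.38, 40.0),
]

def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance; stands in for 'geographically nearest' routing (assumption)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def nearest_pop(lat, lon):
    """The PoP an attacker's provider would hand the traffic to under this model."""
    return min(ANYCAST_POPS, key=lambda name: great_circle_km(lat, lon, *ANYCAST_POPS[name]))

def unicast_load(sources):
    """One IP in one location: every source's flood lands on the same box."""
    return sum(rate for _, _, _, rate in sources)

def anycast_load(sources):
    """Same IP announced from every PoP: each flood lands only on its nearest PoP."""
    load = {name: 0.0 for name in ANYCAST_POPS}
    for _, lat, lon, rate in sources:
        load[nearest_pop(lat, lon)] += rate
    return load

if __name__ == "__main__":
    print(f"unicast target absorbs {unicast_load(ATTACK_SOURCES):.0f} Gbps")
    for pop, gbps in anycast_load(ATTACK_SOURCES).items():
        print(f"anycast PoP {pop:<10} absorbs {gbps:.0f} Gbps")
```

The single unicast target absorbs the full 300 Gbps, while the busiest anycast PoP (Amsterdam, which is nearest to both European sources) sees 140 Gbps and the others far less.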